The Credential Store is based on the Windows Data Protection API (DPAPI). DPAPI encrypts data using a private key derived from a user’s Windows identity. Once encrypted, data can only be decrypted by the same Windows user.
Refer to below articles for how the credentials are stored and settings for DPAPI
You cannot truly "mask" any data you are entering into the designer. You can encrypt the contents of a variable, so they are not visible in the saved os file (by enabling the Encrypt property of the variable in the Properties window), however when opened in Studio, they would still be visible to the developer. You can "mask" data from being logged into the RuntimeLog, by right-clicking on any blue line and selecting "Sensitive".